In The News: Russia Cyber Threat and F5, HP, VMware and Firewall Vulnerabilities

Jack Smallpage, Information Security Officer at CyberLab, reviews the latest cyber security news and advises how to protect your data. He covers:

• • Joint Cyber Security Advisory on Russia Cyber Threat

• • F5 BIG-IP iControl REST Vulnerability

• • NCSC’s New Email Security Check Service

• • HP BIOS Vulnerabilities Patched

• • VMware Vulnerabilities – Patch Now!

• • Critical Bugs in Zyxel Firwalls and VPN’s Exploited

• • Book Your Free Consultation

The security world is constantly moving and evolving, with vulnerabilities, breaches and new guidance released daily. The volume and complexity of some of these can sometimes be overwhelming and difficult to keep track of, so let’s use this article to help summarise some of this month’s highlights so that together, we can be more cyber aware.

Joint Cyber Security Advisory on Russia Cyber Threat

The cyber security authorities of the United States, Australia, Canada, New Zealand, and the UK have released a joint advisory to help provide technical details and information on the Russian-aligned groups involved along with the mitigations and protections you can put in place to help secure your business against possible future attack: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure | CISA.

What Should I Do

• Update your systems and software

Vulnerabilities are discovered and exploited daily. As such, you must identify these vulnerabilities quickly and patch them as soon as possible, prioritising critical and high vulnerabilities on internet-facing equipment. Centralised Patch Management systems and Vulnerability Management Systems can help identify and remediate through automation, reducing the strain on your teams.

• Multi-Factor Authentication (MFA) & Passwords

RDP (Remote Desktop Protocol) is a protocol which allows a user to connect and remotely use one computer to another over the network. With business becoming more remote, you may likely use this in some areas of your business. However, given that RDP exploitation is one of the top initial ransomware infection vectors, it is crucial to restrict its use wherever possible and require additional measures such as MFA and VPN.

• User Awareness & Training

Phishing is STILL one of the most common threat vectors for breaches and is used to gain credentials or spread malware for various attacks. Make sure your people know how to identify suspicious phish and feel empowered to report messages even when they may have fallen for it themselves.

F5 BIG-IP iControl REST Vulnerability

F5’s BIG-IP is a family of software and hardware products covering application availability, access control, and security solutions. On the 4th of May, F5 disclosed a vulnerability in their iControl REST interface that could allow an unauthenticated attacker with network access to the BIG-IP system to execute arbitrary system commands, create or delete files, or disable services. More details can be found from F5’s advisory here: BIG-IP iControl REST vulnerability CVE-2022-1388 (f5.com) with further guidance from the CISA alert here: Threat Actors Exploiting F5 BIG-IP CVE-2022-1388 | CISA

What Should I Do

Look through the advisory and identify whether you run any of the identified vulnerable versions. If you do, update your version to be equal to (or more recent than) the fixed version indicated. Where you are unable to immediately apply the update, you should instead implement F5’s temporary workaround by:

• • Blocking iControl REST access through the self IP address.

• • Blocking iControl REST access through the management interface.

• • Modifying the BIG-IP httpd configuration.

More details on how to implement the above workarounds can be found in the F5 advisory.

NCSC’s New Email Security Check Service

The UK’s National Cyber Security Centre (NCSC) have released a free to use tool this month which allows users to check any email domain against Email anti-spoofing and Email Privacy capability. The service checks you are using standards such as DMARC (anti-spoofing) and TLS (encrypted transit) properly using publicly available information only. You can access the service here: Check A Domain | Email Security Check (ncsc.gov.uk)

What Should I Do?

Access the tool and enter your organisation’s email domain (e.g. cyberlab.co.uk) to check that you are securely configured. If the report includes gaps, follow the guidance to secure your email.

HP BIOS Vulnerabilities Patched

HP have released BIOS updates this month to fix two high severity vulnerabilities affecting a range of their PC products with potential arbitrary code execution. More details, including the devices affected and relevant updates, can be found on the HP update here: HP PC BIOS – May 2022 Security Updates | HP® Customer Support.

What Should I Do

Whilst we always think about patching our software (whether manually or via a patch management tool), it is easy to forget about firmware/BIOS updates. Because there are additional risks involved around BIOS updates (especially in a remote setting), they can frequently be overlooked and ignored. However, firmware updates are still important and their vulnerabilities can still be exploited, so devising a patch management solution for your firmware/BIOS is essential.

VMware Vulnerabilities – Patch Now!

The NCSC (UK) and CISA (USA) government agencies have both issued a warning over this month’s critical VMware vulnerabilities, which are being exploited in the wild by cyber actors, some of which are believed to fall under the APT (advanced persistent threat) category.

An advanced persistent threat is a stealthy threat actor which gains access to a network whilst remaining undetected for an extended time. These actors are usually state-sponsored and intentional which make them a dangerous threat.

The vulnerabilities affect certain versions of VMware Workspace ONE Access, VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager. Whilst the vulnerabilities require an attacker to gain access to your network first, once exploited, the attacker is able to bypass authentication methods and elevate their privileges to root (admin), whereby they would be able to cause further disruption.

What Should I Do

CISA have recommended that the impacted products are either updated or removed, with no other mitigation seemingly acceptable. With this in mind, we echo this sentiment by recommending the following:

• • Identify: Which systems and products are affected and the services that each provide.

• • Mitigate: Install the latest update as soon as possible using the VMware advisory here: VMSA-2022-0014 (vmware.com)

• • Isolate: Where impacted systems temporarily cannot be updated (or removed) for whatever reason, it is important to isolate them from the network as soon as possible to help reduce the likelihood of compromise.

If during your identification stage you notice any Indicators of Compromise (IoC), you should isolate the systems involved as soon as possible following the guidance found on the CISA advisory here: Threat Actors Chaining Unpatched VMware Vulnerabilities for Full System Control | CISA.

Critical Bugs in Zyxel Firwalls and VPN’s Exploited

To add to the list of exploited vulnerabilities detected this month, a critical vulnerability in Zyxel firewalls supporting ZTP (Zero-touch Provisioning) has been identified and is reportedly being exploited already. The vulnerability allows an unauthenticated and remote attacker to achieve arbitrary code execution as the “nobody” user on the vulnerable device. 

What Should I Do

The vulnerability affects the following models and firmware versions.

Affected Model	Affected Firmware Version	Patch Availability
USG FLEX 100(W), 200, 500, 700	ZLD V5.00 – ZLD V5.21 Patch 1	ZLD V5.30
USG FLEX 50(W) / USG20(W)-VPN	ZLD V5.10 – ZLD V5.21 Patch 1	ZLD V5.30
ATP Series	ZLD V5.10 – ZLD V5.21 Patch 1	ZLD V5.30
VPN Series	ZLD V4.60 – ZLD V5.21 Patch 1	ZLD V5.30

If you utilise any of the affected models, you should apply the patch (ZLD V5.30 as a minimum) right away. More information can be found on Zyxel’s advisory here: Zyxel security advisory for OS command injection vulnerability of firewalls | Zyxel

---

Outsourcing gives you access to highly qualified professionals. If you need specialised help or support, especially around cyber security, or the dull yet necessary hardware and software upkeep, it often makes sense to expand your search.

 – Emma Stott, Customer Service Director at CyberLab, for Is IT Outsourcing The Answer?

---

Conclusion

It has been a busy month for security, though certainly not uncommon. It is also important to reiterate that this article has not included ALL security news or vulnerabilities disclosed this month, and others such as Microsoft’s Patch Tuesday fixes, Apple’s 0-day, QNAP’s critical QVR vulnerability, and Cisco’s IOS XR 0-day and NFVIS vulnerability are just honourable mentions as examples of other updates you should be aware of and research.

If you have been caught off-guard by some of this month’s developments, look at your security processes and see what changes you can make to ensure you don’t get caught out in the future. Just 20 minutes of research each day can help you keep on top of the major security trends and alerts, which help protect your business and keep you cyber aware!

If you have any more questions or worries, please do not hesitate to get in touch and see what CyberLab can do to help you and your security posture.